Snort mailing list archives

Re: ignore host for just a couple of rules, not all

From: Brian Caswell <bmc () mitre org>
Date: Fri, 15 Jun 2001 09:02:18 -0400

Roeland Weve wrote:

47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C   GET /searchresul
74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F   t/../pix/nav/mo_
30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30   0_a.gif HTTP/1.0
0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A   ..Referer: http:

I now exlude this host via:
pass tcp any any -> hostip 80


pass tcp any any -> hostip 80 (msg:"pass /../ where acceptable";
uricontent:"/../"; flags:A+;)

-- 
Brian Caswell
The MITRE Corporation

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

ignore host for just a couple of rules, not all Roeland Weve (Jun 15)
- Re: ignore host for just a couple of rules, not all Brian Caswell (Jun 15)
- <Possible follow-ups>
- RE: ignore host for just a couple of rules, not all Piers Williams (Jun 19)